gateway: bump actions/checkout from 4.2.2 to 6.0.2

[dependabot]

Bumps actions/checkout from 4.2.2 to 6.0.2.

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

• Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by @​TingluoHuang in actions/checkout#2355
• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

• Update all references from v5 and v4 to v6 by @​ericsciple in actions/checkout#2314
• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327
• Clarify v6 README by @​ericsciple in actions/checkout#2328

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• 08c6903 Prepare v5.0.0 release (#2238)
• Additional commits viewable in compare view

[raboof]

This is curious, actions/checkout@v6 is actually find per the policy, I wonder if the rat action triggered dependabot into being more fine-grained? I think in this case having all actions use actions/checkout@v6 might actually be fine?

[potiuk]

This is curious, actions/checkout@v6 is actually find per the policy, I wonder if the rat action triggered dependabot into being more fine-grained? I think in this case having all actions use actions/checkout@v6 might actually be fine?

Or maybe we should cange all the actions (even built-in ) with hashed versions (and keep the latest version) ?

With cooldown it's safe, but still when we have individual action changes it's just better to have smaller prs incrementally adding things - easier to review and go back. Nice thing about fixed version (hashed or vN.Y.Z) is that in case of any problems with newer version you can easily go back by reverting.

The v5 or v6 has this problem that it might potentially break without changing anything and if it is noticed late, it might be difficult to pin-point the issues.

Pinned versions are way more predictable and easier to fix if broken.

[raboof]

I generally agree, though the GH actions have a pretty good track record of being safe (both security- and behavior-wise). Not sure how much churn they would generate.

I'm fine with either direction here.